On 10/26/2012 10:45 AM, Stan Sander wrote:
> Probably something I don't have tweaked just right, but a while ago when
> I tried to sudo it failed. I built this system at least 6 months ago
> and followed the procedures that were posted at that time, but then
> wasn't able to work towards putting SELinux in enforcing mode until this
> past week.
>
> sudo: unable to get default type for role sysadm_r
> sudo: unable to execute /bin/bash: Invalid argument
>
> I tried again after running newrole to switch to sysadm_r, but got the
> same result.
>
> The denials in the logs were:
>
> Oct 26 09:19:45 iax sudo: stan : TTY=pts/1 ; PWD=/home/stan ;
> USER=root ; COMMAND=/bin/bash
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session opened
> for user root by stan(uid=0)
> Oct 26 09:19:45 iax kernel: type=1400 audit(1351264785.307:8824410):
> avc: denied { read } for pid=20130 comm="sudo" name="default_type"
> dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t
> tcontext=system_u:object_r:default_context_t tclass=file
> Oct 26 09:19:45 iax sudo[20129]: pam_unix(sudo:session): session closed
> for user root
>
> find / -inum 6717702
> /etc/selinux/strict/contexts/default_type
>
> I checked and indeed none of the sudo types have permissions for that
> file and I don't see any booleans to change it either, so what am I missing?
>
> sesearch -t default_context_t -c file -ACd
> Found 19 semantic av rules:
> allow initrc_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow run_init_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow useradd_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow sysadm_dbusd_t default_context_t : file { ioctl read getattr
> lock open } ;
> allow system_dbusd_t default_context_t : file { ioctl read getattr
> lock open } ;
> allow sulogin_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow staff_dbusd_t default_context_t : file { ioctl read getattr
> lock open } ;
> allow local_login_t default_context_t : file { ioctl read getattr
> lock open } ;
> allow sysadm_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow setfiles_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow user_dbusd_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow sshd_t default_context_t : file { ioctl read getattr lock open } ;
> allow semanage_t default_context_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
> allow staff_t default_context_t : file { ioctl read getattr lock open
> } ;
> allow newrole_t default_context_t : file { ioctl read getattr lock
> open } ;
> allow nscd_t default_context_t : file { ioctl read getattr lock open } ;
> allow udev_t default_context_t : file { ioctl read getattr lock open } ;
> allow crond_t default_context_t : file { ioctl read getattr lock open
> } ;
> allow user_t default_context_t : file { ioctl read getattr lock open } ;
>

Can you give us the command you were trying to run (for instance 'sudo
-r sysadm_r -t sysadm_t repoman manifest')

Also, 'rlpkg -a -r' just in case (I know you said you did it, but do it
again anyway :D)

-- 
-- Matthew Thode (prometheanfire)
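As an added example, not code from either poster: a small Python parser for the AVC denial and the sesearch output quoted in the thread. It performs the check Stan did by eye (does any rule grant the denied source type staff_sudo_t the requested permission on default_context_t?) and lists which types do hold that access, which is what the question about the exact sudo -r/-t invocation is probing. The sample input is constructed from the thread, including sesearch rules wrapped across lines the way the mail wrapped them.

```python
import re

# Constructed sample: the AVC denial and two sesearch rules quoted in the thread, wrapped as the mail wrapped them.
AVC_LINE = ('type=1400 audit(1351264785.307:8824410): avc: denied { read } for pid=20130 comm="sudo" '
            'name="default_type" dev="sda3" ino=6717702 scontext=stan:staff_r:staff_sudo_t '
            'tcontext=system_u:object_r:default_context_t tclass=file')
SESEARCH_OUTPUT = """Found 2 semantic av rules:
allow sysadm_t default_context_t : file { ioctl read getattr lock
open } ;
allow staff_t default_context_t : file { ioctl read getattr lock open
} ;
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+)\}')

def parse_avc(line):
    """Extract requested permissions and source/target types from one AVC denial.
    A context is user:role:type[:range], so the type is always the third field."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    return {'perms': set(m.group('perms').split()), 'tclass': m.group('tclass'),
            'stype': m.group('sctx').split(':')[2], 'ttype': m.group('tctx').split(':')[2]}

def parse_sesearch(text):
    """Parse 'allow ... ;' rules; a rule starts at 'allow' and may be wrapped across lines."""
    rules, buf = [], ''
    for line in text.splitlines():
        line = line.strip()
        buf = line if line.startswith('allow ') else (buf + ' ' + line if buf else '')
        if buf.endswith(';'):
            m = RULE_RE.match(buf)
            if m:
                rules.append((m.group('src'), m.group('tgt'), m.group('cls'),
                              set(m.group('perms').split())))
            buf = ''
    return rules

def uncovered_perms(denial, rules):
    """Permissions the denial asked for that no rule grants to the denied source type."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (denial['stype'], denial['ttype'], denial['tclass']):
            granted |= perms
    return denial['perms'] - granted

def types_with_access(denial, rules):
    """Source types that already hold every permission the denial asked for."""
    return sorted({src for src, tgt, cls, perms in rules
                   if (tgt, cls) == (denial['ttype'], denial['tclass']) and denial['perms'] <= perms})
```

Run against the real log and the full `sesearch -t default_context_t -c file -ACd` output, an empty result from `uncovered_perms` means the denial comes from something other than a missing rule, such as the wrong source type or a mislabelled file.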